viruses

From: akcs.joehorn@hpcvbbs.cv.hp.com (Joseph K. Horn)
Newsgroups: comp.sys.hp48
Subject: VIRUS ALERT
Keywords: virus vaccine
Message-ID: <294dc568:401comp.sys.hp48@hpcvbbs.cv.hp.com>
Date: 17 Dec 91 09:40:11 GMT
Lines: 141
* * * * * * * * * * * * * * * *
*                             *
*    V I R U S   A L E R T    *
*                             *
* * * * * * * * * * * * * * * *

"Next to a battle lost, the greatest misery is a battle gained."
                                                    -- Wellington

It was just a matter of time. Three viruses (all very similar) have
been written for the HP 48. As if this weren't bad enough, they are
being spread around on college campuses as a practical joke. Not
funny at all, when it's your 48 that gets sick, then goes psychotic,
and finally dies.
I must admit, however, a certain morbid respect for the author(s);
these little timebombs are well written. When stripped from their
host program, they look like this harmless little 3-object snippet:
"*" External Code
where the * is the null character (displayed as a little square blob).
The "External" is not at all what it appears to be! It's really an
"external type 2" object, one of the four unused object types; and it
contains the real body of the virus, in System RPL. The subsequent
Code object merely jumps backwards into the External object, just past
its object header, thus executing its contents as an RPL program.

If you engage in promiscuous I/O with college students (who doesn't?),
be on the lookout for the following bogus "error messages":
"System Malfunction"
"Defective ROM"
"Damaged ROM"
"Invalid Addressing"

Also, the virus attaches itself to other program objects in the
current directory (thereby earning the name "virus"). Since it
modifies objects without your knowledge, it may wreak havoc that the
author(s) never intended, especially if you are into System RPL
programming. It may cause objects to be purged, entire directories to
be lost, memory corrupted, and even total Memory Clear. And the null
character at the beginning prevents you from removing the virus by
normal editing, because when you hit EDIT you'll get the "Can't Edit
Null Char." error message. This sucker not only propagates itself, it
even has self-preservation instincts! Geez.

Since the current "strains" of this virus all contain the same Code
object, it's easy to write a "vaccine" that checks a program for the
virus, and if found, "disinfects" it. If you'd like to do it
yourself, here's the recognizable 29.5-byte Code object:

In ASC-> format:
%%HP:T(1);
"CCD20630001741433450000EA1411C414334A0000CA14134E8F60DA808C4ECA"

Source code:

HP                 AG                    opcode
--------           ------------          --------
D1=D1+ 5           ADD.A   #5,D1         174
A=DAT1 A           MOVE.A  @D1,A         143
LC(5) 5            MOVE.P5 #5,C          3450000
A=A-C A            SUB.A   C,A           EA
DAT1=A A           MOVE.A  A,@D1         141
D1=D1- 5           SUB.A   #5,D1         1C4
A=DAT1 A           MOVE.A  @D1,A         143
LC(5) 10           MOVE.P5 #A,C          34A0000
A=A+C A            ADD.A   C,A           CA
DAT1=A A           MOVE.A  A,@D1         141
LC(5) #06F8E       MOVE.P5 #06F8E,C      34E8F60
A=C A              MOVE.A  C,A           DA
PC=(A)             JUMP.A  @A            808C

The "External" object immediately precedes this Code object. It
consists of its five-nibble prolog (02BCC), followed by a five-nibble
length field (nib distance to the following Code object). The length
field is immediately followed by an RPL program object (beginning
D9D20, of course), which is the nucleus of the virus, the part that
does all the dirty work; the "DNA" part, as it were.

For obvious reasons, I will not post the virus itself.

Brian Maguire considered this sordid situation to be a delightful
programming challenge, and whipped up the following two programs.
'VACCINE.1' disinfects program objects, and 'CLEAN' disinfects entire
directories.

INSTRUCTIONS: Place program on stack and press VACCINE.1
to disinfect it, or run CLEAN to disinfect all the programs in
the current directory. Obviously it is best to keep these
programs protected in a card switched to the ROM position.
They can be run from there, for example via a CST key, or a
user-mode key assignment.

%%HP:T(1);
@ VACCINE.1 and CLEAN, by Brian Maguire
"69A20E33A8000000005034C45414E450D9D20E1632C53A2FA1A1A59C19C2A2DB
BF10A132D6E20109678BF104B0284E20906514343494E454E213DBBF1DCC02C4
23293632B2130B7000906514343494E454E21390D9D20D2951D9F81F3040D9D2
02A170D9D2013236A9226DA9160CA308813030040C9B267E126DA916C0126132
3698226DA916C0126D0040C9B2679E60CCD20630001741433450000EA1411C41
4334A0000CA14134E8F60DA808C79B30B2130EE170980505E170B2130B213072
25"

-------< Begin VACCINE in UUencoded format >-------
begin 600 virus
M2%!(4#0X+466*N`SB@`````%0TQ%04X%G2W@82-<H_(:&EK)D2PJO?L!&B-M
M+A"0=K@?0`N"Y`()5D%#0TE.12XQO?O1S"!,,I)C(RLQL`<`"59!0T-)3D4N
M,0F=+="2%9V/\0,$G2T@&@>=+1`C8YHBUIIAP#J`&`,#0,"Y8N<AUIIA#"$6
M(V.)(M::80PAU@`$G"MVZ0;,+6`#`'$4-$,%`.`:%,$4-$,*`,`:%$..;]"*
3@'RY`RLQX!X'B5!0'@<K,;`2`R``
`
end
-------< End VACCINE >-------

Here's the source code for the curious and curiouser:

'VACCINE.1' ( in System RPL )

:: CK1NoBlame CK&DISPATCH0 EIGHT
   :: BEGIN
        :: DUPLENCOMP #2= NOTcase FALSE
           DUP TWO NTHCOMPDROP DTYPECOL? NOTcase DROPFALSE
           DUPLENCOMP #3= NOTcase DROPFALSE
           THREE NTHCOMPDROP
           ' CODE 49 1741433450000EA1411C414334A0000CA14134E8F60DA808C
           EQUAL
        ;
      WHILE CARCOMP REPEAT
   ;
;

'CLEAN' ( in User RPL )

\<< 8 TVARS LIST\-> 1 SWAP
    FOR i DUP RCL VACCINE.1 SWAP STO
    NEXT
\>>
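
The structure described in the post (the null-character string, the External type 2 object with prolog 02BCC, and the 29.5-byte Code object), together with the unwrapping loop of VACCINE.1 and the directory sweep of CLEAN, as an added Python example; it is not part of the original post and not Brian Maguire's code. It parses the nibble-order hex stream that ASC-> produces, reports where the 59-nibble Code signature occurs, and removes the infection the way VACCINE.1 does. Assumptions, also marked in the code: the infected layout (a 2-element program whose second element is a 3-element program ending in the Code object) is inferred from VACCINE.1's test; the ASC-> string is taken to end in a 4-nibble checksum that is simply dropped; the sample host program and the External's body are constructed placeholders, not the virus nucleus; only the handful of object prologs the sample needs are parsed.

```python
# Added example (not from the post, not Brian Maguire's code): detect and unwrap
# the HP 48 virus structure in the nibble-order hex stream that ASC-> produces.
# Prologs are written as they appear in the stream (address nibbles reversed):
# DOCODE 02DCC appears as CCD20, DOEXT2 02BCC as CCB20, and so on.
DOCOL = "D9D20"    # 02D9D  program (secondary)
SEMI = "B2130"     # 0312B  end of program
DOCSTR = "C2A20"   # 02A2C  character string
DOEXT2 = "CCB20"   # 02BCC  external type 2 (container of the virus body)
DOCODE = "CCD20"   # 02DCC  machine-code object
DOBINT = "11920"   # 02911  system binary, 5-nibble body (used for the sample host)

# The 49 body nibbles of the virus' Code object, exactly as given in the post.
VIRUS_CODE_BODY = "1741433450000EA1411C414334A0000CA14134E8F60DA808C"

def nib_to_int(field):
    """Decode a little-endian nibble field (least significant nibble first)."""
    return int(field[::-1], 16)

def int_to_nib(value, width=5):
    """Encode an integer as a little-endian nibble field of the given width."""
    return format(value, f"0{width}X")[::-1]

# Full 59-nibble signature: prolog, length field (0x36 = 54 nibbles), body.
VIRUS_CODE_OBJECT = DOCODE + int_to_nib(5 + len(VIRUS_CODE_BODY)) + VIRUS_CODE_BODY

def asc_body(text):
    """Strip the %%HP header, quotes and whitespace from an ASC-> transfer and drop
    the last 4 nibbles (assumption: ASC-> appends a 4-nibble checksum there)."""
    hexpart = "".join(c for c in text.split(";", 1)[-1].upper() if c in "0123456789ABCDEF")
    return hexpart[:-4]

def signature_scan(stream):
    """Return every nibble offset at which the 59-nibble Code object occurs."""
    hits, start = [], 0
    while (i := stream.find(VIRUS_CODE_OBJECT, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits

def parse_object(stream, pos=0):
    """Parse one object at nibble offset pos; return (tree, offset after it).
    Nodes: ("col", [children]), ("bint", int), ("str"|"ext2"|"code", body_nibbles)."""
    if pos + 5 > len(stream):
        raise ValueError(f"truncated object at nibble {pos}")
    prolog = stream[pos:pos + 5]
    if prolog == DOCOL:
        pos, items = pos + 5, []
        while stream[pos:pos + 5] != SEMI:          # SEMI terminates a program
            obj, pos = parse_object(stream, pos)
            items.append(obj)
        return ("col", items), pos + 5
    if prolog == DOBINT:
        return ("bint", nib_to_int(stream[pos + 5:pos + 10])), pos + 10
    if prolog in (DOCSTR, DOEXT2, DOCODE):
        length = nib_to_int(stream[pos + 5:pos + 10])  # counts the length field itself
        kind = {DOCSTR: "str", DOEXT2: "ext2", DOCODE: "code"}[prolog]
        return (kind, stream[pos + 10:pos + 5 + length]), pos + 5 + length
    raise ValueError(f"unsupported prolog {prolog!r} at nibble {pos}")

def emit(obj):
    """Inverse of parse_object: serialise a tree back to a nibble stream."""
    kind, data = obj
    if kind == "col":
        return DOCOL + "".join(emit(o) for o in data) + SEMI
    if kind == "bint":
        return DOBINT + int_to_nib(data)
    return {"str": DOCSTR, "ext2": DOEXT2, "code": DOCODE}[kind] + int_to_nib(5 + len(data)) + data

def is_infected(obj):
    """VACCINE.1's test: a 2-element program whose second element is a 3-element
    program whose third element is the known Code object (layout inferred from it)."""
    if obj[0] != "col" or len(obj[1]) != 2:
        return False
    inner = obj[1][1]
    return inner[0] == "col" and len(inner[1]) == 3 and inner[1][2] == ("code", VIRUS_CODE_BODY)

def disinfect(obj):
    """VACCINE.1's loop: while infected, keep the first element (CARCOMP).
    Returns (clean program, number of layers removed)."""
    layers = 0
    while is_infected(obj):
        obj, layers = obj[1][0], layers + 1
    return obj, layers

def clean_directory(variables):
    """CLEAN's sweep over name -> nibble stream: only programs (8 TVARS) are touched."""
    cleaned = {}
    for name, stream in variables.items():
        if stream.startswith(DOCOL):
            cleaned[name] = emit(disinfect(parse_object(stream)[0])[0])
        else:
            cleaned[name] = stream
    return cleaned

def build_sample():
    """Constructed sample: a harmless host program wrapped in the inferred infected
    layout. The External's body is a placeholder program, not the virus nucleus."""
    host = ("col", [("bint", 7), ("bint", 42)])
    payload = ("col", [("str", "00"),                                     # null-character string
                       ("ext2", DOCOL + DOBINT + int_to_nib(0) + SEMI),  # placeholder body
                       ("code", VIRUS_CODE_BODY)])
    return host, ("col", [host, payload])

if __name__ == "__main__":
    host, infected = build_sample()
    stream = emit(infected)
    print("signature at nibble offsets:", signature_scan(stream))
    clean, layers = disinfect(parse_object(stream)[0])
    print("layers removed:", layers, "- host restored:", emit(clean) == emit(host))
```

Running the file builds the sample, prints the nibble offset of the signature and confirms that the host program comes back intact; feeding asc_body() the ASC-> string of the Code object given above yields exactly VIRUS_CODE_OBJECT. clean_directory() stands in for CLEAN's 8 TVARS loop and leaves non-program variables untouched, which matters because the parser only knows the prologs the sample needs.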

Many thanx to Brian Maguire for making this potentially terrifying
situation so easy to cope with.
-jkh- EQU akcs.joehorn@hpcvbbs.cv.hp.com